In Kind Direct Privacy Notice
Last updated August 2023
We are committed to protecting your privacy and couldn’t do what we do without your support and the information we hold. We will always respect any personal information we hold, and strive to keep it safe.
This notice tells you what you can expect us to do with your personal information, why we collect it, and how we keep it secure. We make every effort to ensure your personal information is processed in a fair and transparent way, in line with the General Data Protection Regulation (GDPR) 2018, UK Data Protection Act (DPA) 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
The In Kind Direct group includes In Kind Direct, a registered charity (charity number: 1052679), In Kind Direct International, a registered charity (charity number: 1157417) and Trading IK, the wholly owned trading subsidiary of In Kind Direct (company number: 06950193). All organisations in the In Kind Direct Group work to this privacy notice.
What is the purpose of this notice?
This Policy sets out why we collect personal data about individuals and how we use it. It also explains the legal basis for this and the rights you have regarding the way your personal data is used. In complying with data protection law and principles, your data will be:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- Relevant to the purposes we have told you about and limited only to those purposes
- Accurate and kept up to date as far as we reasonably can
- Kept only as long as necessary for the purposes we have told you about
- Kept securely
When do we collect personal information about you?
We may collect personal information about you in the following ways:
When you give it to us directly, for example if you:
- Apply for a job or to be a volunteer
- Sign up to receive information
- Support us through a donation
- Take part in events
- Submit a query, give us feedback or make a complaint
- Express interest in working with us to receive or provide products
- Enter into a contract or agreement with us
- Have your photograph taken, participate in filming, or supply a case study
When we collect it indirectly if you interact with one of our partners (e.g. making a secure payment online, or one of our affiliate partners). Your personal information may have been provided to us by others, with your consent. For example, by a colleague, or an organisation you get support from.
When it is available publicly. We may for example gather contact details to increase our network of those that can support us, or that we can support. This could include from online articles, newspapers, public registers, websites and social media platforms. The information on social media platforms is only accessible based on the permission you give through those services directly.
We might also gather publicly available information about those interested in supporting organisations like us in the future. This is so we can contact you in the most appropriate way and enables us to raise funds sooner and more cost-effectively. We will not keep potential supporters’ publicly available information without seeking their consent at the earliest practical opportunity.
What types of data do we collect?
Personal data we collect:
- contact details (email address, phone numbers and postal addresses)
- role within your organisation
- records of your correspondence with us
- recordings of phone calls made to us
- your marketing preferences
- payment information
- photos, stories and videos
- records of your support of In Kind Direct including for claiming Gift aid
- records of your purchases or orders
- data from your visits to our website or opening our emails, using cookies
- applications to work or volunteer with us, which might include your education, career, unspent convictions, right to work in the UK and data relating to diversity
If you contact us for any other reason we will collect your name, contact details and any information you provide to us as part of that interaction.
If you make a card payment to us, this is done securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS). We do not store card payment details, and work with third parties including Opayo and JustGiving who process transactions on our behalf.
Sensitive personal information
Data protection law recognises certain categories of personal information are sensitive and therefore require more protection. This includes information about your race or ethnicity, political opinions, sex life or sexual orientation, religious beliefs and health data. There are further rules concerning the use of criminal data.
Most commonly, we will process special categories of data if: you have given explicit consent to the processing; or we must process the data to carry out our legal or contractual obligations; or you have already made the data public. If you choose to proactively share sensitive information with us, for example in a phone call, this data will be retained in line with our general policies.
We will use your special category data for the purposes of providing catering and accessibility at events, equal opportunities monitoring and to make reasonable adjustments for example, to attend an interview or take up a role with us. This may involve sharing or receiving data from third parties such as employment agencies.
How do we use your data?
We will use your data to deliver our work and provide the best service to you:
- Delivering our work with charitable organisations, companies, funders and individuals
- Marketing communications to provide information about our work, activities and campaigns
- To reengage charitable organisations, companies and supporters that have previously worked with us, and may reasonably be interested in working with us again. We will always provide a way for you to opt-out of such communications.
- Administrative communications to fulfil our service and any contracts, including distributing orders to our charitable network and confirming product donations with companies. This will include sharing data with third parties such as our logistics service providers and couriers
- Fundraising in a reasonable and expected way, primarily by email, including claiming Gift Aid
- Recruitment of staff and volunteers
- Keeping records of correspondence, enquiries, feedback or complaints
- Impact assessment and market research, engaging our partners through surveys and communications to grow our network, meet more of the needs of those we support, and to provide feedback to those that support us. This may include using services such as SmartSurvey, as well as the collection of photos, videos and case studies
- To deliver successful events, including sharing data with e.g. caterers and venues
- To meet any legal and contractual obligations we have
Our legal basis for processing personal information
Our legal basis for collecting, storing and using the personal information described in this notice will depend on the reason for collecting it. At all times we will respect your rights. We may process your personal data:
- Where we have a contract with you
- If you have given us consent to do so, such as for the use of photos or case studies
- When it is in our legitimate interests, and it’s not overridden by your rights. This includes:
- Recruiting for staff and volunteers
- To process your contact details where the organisation you work for is interested in working with us
- For charitable organisations in our network, or lapsed within a reasonable period, to send you administrative communications (e.g. order confirmations, service updates) and marketing communications about our services and promoting our aims and ideals
- For corporate partners and funders, both current supporters and lapsed within a reasonable period, to send you administrative and marketing communications about our services and promoting our aims and ideals
- To undertake market and internet research to find new potential partners and to increase our understanding of current partners
- To organise events
- To request feedback such as through surveys to meet more of communities’ needs and understand our impact
- Where we have a legal obligation such as processing payments or for health and safety reasons
Whenever we process your personal information under the ‘legitimate interest’ lawful basis we make sure that we consider your rights and interests. We will not process your personal information if we feel there is not a legitimate reason to do so. We will make it easy for you to opt-out of marketing communications and fundraising activities at any time if you wish. To opt out of such emails, click on the unsubscribe link at the bottom of our messages.
Retaining your data
We will retain your personal information only for as long as necessary, and to the extent needed to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies. We have determined different retention periods based on the data type and how it is used across our organisation. Usually this will not be for longer than 6 years after your last interaction with us. For some types of data, such as recorded phone calls, this is a number of weeks. Personal data that no longer serves a purpose is securely disposed of or made anonymous so that you are no longer identifiable from it.
If you are unsuccessful in obtaining employment with us, we will hold your data for 12 months to meet our obligations. We may seek your consent to additionally retain your data in case other roles become available which we think you may wish to apply for. You are free to withhold your consent to this.
Do we share your personal information?
We do not sell or trade your data. We may share your data in the following circumstances, to enable us to deliver our work and meet your expectations. Third parties will be required to use any personal information they receive only by our instructions and under a written agreement with us.
- Third parties and suppliers to provide our service:
- Various providers e.g. technical support, to enable us to efficiently run our services
- Consultants supporting specific projects
- Event management, catering and PR services
- Email software providers like dotdigital, to deliver compliant marketing
- Couriers and hauliers to manage the collection and delivery of products
- Employment references for job applications
- Third parties where there is a legal requirement, for example HMRC, law enforcement agencies and the Charity Commission
- Funders, corporate or sector partners and publicly, where you have given consent for your image or case study to be used for such purposes.
Where we share your personal information with other companies or organisations, we do not permit them to send you marketing about them. We take care to ensure that they keep your personal information secure and delete it when it is no longer needed.
Keeping your data safe and secure
The security of your data is important to us. We’ve implemented physical, technical and organisational measures to protect the personal information we have under our control, both on and off-line, from improper access, use, alteration, destruction and loss. No method of transmission over the Internet, or method of storage is 100% secure. We use our best efforts and reasonable means to protect your personal information, and only keep it as long as is reasonable and necessary.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Our website and servers are hosted in the UK. However, we operate around the world and with global partners. This means that it is possible that personal information we collect from you may be transferred to and stored in a location outside of the UK or the EEA. In those cases, we will comply fully with our legal obligations and take all steps necessary to ensure that your personal information is treated securely and in accordance with legislation.
Please note that certain countries outside of the UK or the EEA have a lower standard of protection for personal information. Where your personal information is processed outside the UK or EEA in a country which does not offer an equivalent standard of protection to the UK or EEA, we will take all reasonable steps necessary to ensure that appropriate safeguards are in place. For instance, we may enter into the European Commission approved standard contractual clauses with such providers.
You have the following rights in relation to the personal information we hold about you:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of any inaccurate personal information that we hold about you.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no lawful reason to continue to process it.
- Object to processing of your personal information where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Object to automated decision making. This is when an electronic system uses personal information to decide without human intervention. You have the right to request not to be subject to automated decisions that would have a significant impact on you
- You have the right to decide you do not want to receive marketing communications from us
Please note that some of these rights only apply in certain circumstances and we may not be able to fulfil every request. We may also verify your identity so that we can evidence who is making the request.
Getting in touch
Our Partnerships & Impact Director is responsible for overseeing compliance with this privacy notice. If you have any questions about this notice, or wish to exercise your rights, please contact us at email@example.com or 11-15 St. Mary at Hill, London EC3R 8EE. You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Updates to this notice
We may update this notice from time to time. We advise you to review this notice periodically. The latest version will always be available on our website with a clear “last updated” date displayed.